Restrict or enable access to a service application (SharePoint 2013)

Summary: Learn how to restrict access to a service application by adding and removing service accounts, and how to reestablish local farm-wide access to a service application in SharePoint 2013.

In SharePoint 2013, you can restrict the access to a service application so that the service application is available to only specified web applications.

By default, all service applications on the local farm are available to all web applications on the local farm. You might want to restrict access to a service application if you host multiple customers on the same farm, and you want to isolate one customer's service applications from another customer’s web application.

If you restrict access to a service application and you later decide that you want to make it available to the whole farm, you can remove the restriction.


To restrict access to a service application, remove service accounts from the service application. Conversely, to enable access to a service application, add service accounts to the service application. You can perform these tasks by using Central Administration or by using Windows PowerShell 3.0.

To restrict access to a service application, you must complete the following tasks:

Add a specific service account to the service application.

Remove the local farm ID from the service application.

Note:

The procedures in this article describe how to restrict or restore access to a service application. However, you can follow the steps in the procedures to add any service account to any service application or to remove any service account from any service application.
For example, the To restore local farm-wide access to a service application by using Central Administration procedure explicitly describes how to add the local farm ID to a service application. You can use the same procedure to add any other service account to a service application. To do this, you provide the appropriate service account instead of the local farm ID.

Because the local farm ID provides local farm-wide access to the service application by default, it is redundant to also grant explicit local web application permissions to a service application unless you also remove the local farm ID.

To grant permissions to a service application, you must retrieve and supply the appropriate service account. For a web application, this account is also known as an application pool identity account.

After you grant permissions to a service account and remove the local farm ID from a service application, only web applications whose application pool runs as the assigned service account can access the service application. You can allow multiple web applications (that run under different service accounts) to use the same service application by repeating these procedures and adding each web application's service account to the service application.

Warning:

If you remove the local farm ID from a service application and do not assign any other service account to that service application, the service application becomes unavailable to all web applications.

To retrieve a web application service account by using Central Administration

Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

On the Central Administration Home page, in the Security section, click Configure service accounts.

On the Service Accounts page, select the web application name from the first drop-down list.

The service account is shown in the Select an account for this component list. Record the service account name because you'll use it in the next procedure.

Click Cancel to exit the Service Accounts page without making any changes.

To grant and remove permissions for service accounts to access a service application by using Central Administration

Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

On the Central Administration Home page, in the Application Management section, click Manage service applications.

On the Manage Service Applications page, click the row that contains the service application for which you want to assign permissions.

The ribbon becomes available.

In the Sharing group of the ribbon, click Permissions.

In the Connection Permissions dialog box, type the service account name that you retrieved in the previous procedure, and then click Add.

Ensure that the newly added service account name is selected in the middle pane, and then select the appropriate check box in the bottom pane to grant the required permission level.

In the middle pane, click Local Farm, and then click Remove.

Verify that the Connection Permissions page now lists only the service account that you want to access the service application, and that the service account has the required permissions on the service application. Click OK to change the permissions, or click Cancel to end the task without making changes.

You can grant and remove permissions for any service account by using this procedure.

Note:

Restoring the local farm ID to a service application by using Central Administration requires an additional step that does not apply to other service accounts: the farm ID must first be retrieved by using Windows PowerShell. For information about how to do this, see Restoring farm-level access to a service application later in this article.

All procedures in this section assume that you have the appropriate permissions and have opened the Windows PowerShell 3.0 Command Prompt window, as described in the To start a Windows PowerShell session procedure later in this section.

The process that restricts access to a service application by using Windows PowerShell is more complex than performing the same task by using Central Administration. In Windows PowerShell, you'll use some procedures to collect and store information for input into later procedures.

After you have started Windows PowerShell, the remaining steps to restrict access to a service application are as follows:

Retrieve the local farm ID.

Retrieve the web application service account.

Create a new claims principal that contains the web application service account.

Retrieve the security object of the service application.

Add the web application service account to the security object of the service application.

Remove the local farm ID from the security object of the service application.

Verify that you are a member of the Administrators group on the server on which you are running the Windows PowerShell cmdlets.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

<ServiceApplicationDisplayName> is the display name of the service application.

Important:

You must enclose the display name in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID. For example:

Get-SPServiceApplication

All service applications are listed. Then:

$spapp = Get-SPServiceApplication -Identity <GUID>
$spguid = $spapp.Id

Where <GUID> is the GUID for the service application for which you want to update permissions.

To update the service application security object by using the preferred permissions

The first step to update the service application security object is to add the new claims principal $principal to the service application security object $security. To do this, type the following command:

<Rights> is the permissions that you want to grant. Typically, this will be Full Control. The available permissions can vary between service applications.

Tip:

If you do not want to grant Full Control permissions, and you do not know what permissions can be granted to the service application, you can run the following commands to return the available permission strings:

$rightslist = Get-SPServiceApplicationSecurity $spapp
$rightslist.NamedAccessRights

To remove the local farm ID (that is stored in the $farmID variable) from the service application security object $security, type the following command:

You can restore farm-wide access to a service application by adding the local farm ID to the service application. You can do this by using Central Administration or by using Windows PowerShell commands. However, you must use Windows PowerShell 3.0 to obtain the local farm ID.

If you want to restore farm-wide access by using Central Administration, copy the farm ID value that the command returns to the clipboard for use in the following procedure.

If you want to restore farm-wide access to the service application by using Windows PowerShell, type the following additional commands at the Windows PowerShell command prompt. You'll use the retrieved information in the following procedure.

<ServiceApplicationDisplayName> is the display name of the service application.

Important:

You must enclose the display name in quotation marks, and it must exactly match the service application display name. This includes capitalization. If you have more than one service application that has the same display name (we do not recommend this), you can run the Get-SPServiceApplication cmdlet without arguments to view all service applications. You can then identify the service application directly by its GUID.
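The following script is an added example, not code from the original article, that restores local farm-wide access to a service application from the SharePoint 2013 Management Shell. It assumes a service application with the display name "Contoso BDC" (substitute your own). It also assumes that the local farm is represented on a service application's ACL as a claim of the farmid claim type issued by the built-in System claim provider, which is why the farm ID is wrapped in a claims principal rather than passed as a bare GUID:

```powershell
# Added example (not from the original article): restore local farm-wide access
# to a service application. Run in the SharePoint 2013 Management Shell or
# after loading the snap-in, as a Farm Administrator with shell access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Retrieve the local farm ID (the value you would paste into Central Administration).
$farmId = (Get-SPFarm).Id.ToString()

# Assumption: the farm is identified on the ACL by a farmid claim from the
# System claim provider, so build a matching claims principal.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$farmPrincipal = New-SPClaimsPrincipal `
    -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $claimProvider `
    -ClaimValue $farmId

# Retrieve the service application and its security object. Refuse to continue
# if the display name is ambiguous (duplicate display names are not recommended).
$spapp = Get-SPServiceApplication -Name "Contoso BDC"   # assumed display name
if (@($spapp).Count -ne 1) {
    throw "Expected exactly one service application named 'Contoso BDC'; use -Identity <GUID> instead."
}
$security = Get-SPServiceApplicationSecurity $spapp

# Grant the farm principal Full Control and write the modified ACL back.
# Nothing changes on the service application until Set-SPServiceApplicationSecurity runs.
Grant-SPObjectSecurity $security $farmPrincipal -Rights "Full Control"
Set-SPServiceApplicationSecurity $spapp $security

# Verification: re-read the ACL and confirm the farm ID is listed as a principal.
(Get-SPServiceApplicationSecurity $spapp).AccessRules
```

Because Grant-SPObjectSecurity only edits the in-memory security object, forgetting the final Set-SPServiceApplicationSecurity call leaves the service application unchanged; the verification line re-reads the ACL from the farm rather than trusting the local variable.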

In the following example, the administrator wants to restrict access to the "Contoso BDC" service application to the http://contoso/hawaii web application, which is managed by the service account "contoso\jane." By adding "contoso\jane" and removing the local farm service account from the service application, "Contoso BDC" is restricted to only those web applications that are managed by the service account "contoso\jane" - in this case, http://contoso/hawaii.
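The following script is an added example, not code from the original article, that carries out the scenario described above (the "Contoso BDC" service application, the http://contoso/hawaii web application, and the service account contoso\jane are taken from that description) and follows the sequence of steps listed earlier for restricting access by using Windows PowerShell. As in the previous example, it assumes the local farm is represented on the ACL by a farmid claim from the System claim provider; the empty-ACL guard before the final save is an added safety check that is not part of the documented procedure:

```powershell
# Added example (not from the original article): restrict "Contoso BDC" to the
# web application http://contoso/hawaii, whose application pool runs as contoso\jane.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: retrieve the local farm ID.
$farmId = (Get-SPFarm).Id.ToString()

# Step 2: retrieve the web application service account (its application pool identity)
# rather than typing it by hand, so a mistyped account cannot lock everyone out.
$webApp  = Get-SPWebApplication -Identity "http://contoso/hawaii"
$account = $webApp.ApplicationPool.UserName      # expected: contoso\jane

# Step 3: create a claims principal for that Windows account.
$principal = New-SPClaimsPrincipal -Identity $account -IdentityType WindowsSamAccountName

# Step 4: retrieve the service application and its security object.
$spapp = Get-SPServiceApplication -Name "Contoso BDC"
if (@($spapp).Count -ne 1) {
    throw "Expected exactly one service application named 'Contoso BDC'; use -Identity <GUID> instead."
}
$security = Get-SPServiceApplicationSecurity $spapp

# The permission strings a given service application accepts vary; list them
# if you intend to grant something narrower than Full Control.
$security.NamedAccessRights

# Step 5: add the web application service account to the security object.
Grant-SPObjectSecurity $security $principal -Rights "Full Control"

# Step 6: remove the local farm ID. Assumption: the farm appears on the ACL as a
# farmid claim issued by the System claim provider.
$claimProvider = (Get-SPClaimProvider System).ClaimProvider
$farmPrincipal = New-SPClaimsPrincipal `
    -ClaimType "http://schemas.microsoft.com/sharepoint/2009/08/claims/farmid" `
    -ClaimProvider $claimProvider `
    -ClaimValue $farmId
Revoke-SPObjectSecurity $security $farmPrincipal

# Added guard: an ACL with no principals makes the service application
# unavailable to every web application (see the Warning earlier in this article).
if (@($security.AccessRules).Count -eq 0) {
    throw "Refusing to save an empty ACL for 'Contoso BDC'."
}

# Commit the modified security object; nothing is applied until this call.
Set-SPServiceApplicationSecurity $spapp $security

# Verification: only contoso\jane should remain, and the farm ID should be gone.
(Get-SPServiceApplicationSecurity $spapp).AccessRules
```

Granting before revoking, in that order, matters: if the script is interrupted after the revoke but before a grant, the committed ACL could be empty. Reading the service account from the web application object rather than from a hard-coded string also means the script keeps working if the application pool identity is later changed through Configure service accounts.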